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SECURE AND RECOVERABLE DATABASE FOR ON-LINE 
VALUE-BEARING ITEM SYSTEM 

5 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This patent application claims the benefit of the filing 

date of United States Provisional Patent Applications Serial Nos . 

60/160,112, filed October 18, 1999 and entitled "INTERNET POSTAL 
10 METERING SYSTEM"; 60/160,491, filed October 20, 1999 and entitled 

"SECURE AND RECOVERABLE DATABASE FOR ON-LINE POSTAGE SYSTEM"; 

60/160,703, filed October 20, 1999 and entitled "SCALABLE ON-LINE 

POSTAGE SYSTEM"; 60/160,563, filed October 20, 1999 and entitled 

"SERVER ARCHITECTURE FOR ON-LINE POSTAGE SYSTEM," the entire 
15 contents of which are hereby expressly incorporated by reference. 

FIELD OF THE INVENTION 

The present invention relates to secure printing of value- 
bearing items (VBI) preferably, such as postage, tickets, and 
20 coupons. More specifically, the invention relates to a secure 
and recoverable on-line system for validating and printing VBI 
in a Wide Area Network (WAN) environment. 

BACKGROUND OF THE INVENTION 

25 A considerable percentage of the United States Postal 

Service (USPS) revenue is from metered postage. Metered postage 
is generated by utilizing postage meters that print a special 
mark, also known as postal indicia, on mail pieces. Generally, 
printing postage and any VBI can be carried out by using 

30 mechanical meters or computer-based systems. 

With respect to computer-based postage processing systems, 
the USPS under the Information-Based Indicia Program (IBIP) has 
published specifications for IBIP postage meters that identify 
a special purpose hardware device, known as a Postal Security 

35 Device (PSD) that is generally located at a user's site. The 
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Device (PSD) that is generally located at a user's site. The 
PSD, in conjunction with the user's personal computer and 

5 printer, functions as the IBIP postage meter. The USPS has 
published a number of documents describing the PSD 
specifications, the indicia specifications and other related and 
relevant information. There are also security standards for 
printing other types of VBIs, such as coupons, tickets, gift 

10 certificates, currency, voucher and the like. 

A significant drawback of existing hardware-based systems 
is that a new PSD must be locally provided to each new user, 
which involves significant cost. Furthermore, if the additional 
PSD breaks down, service calls must be made to the user location. 

15 In light of the drawbacks in hardware-based postage metering 
systems, a software-based system has been developed that does not 
require specialized hardware for each user. The software-based 
system meets the IBIP specifications for a PSD, using a 
centralized server-based implementation of PSDs utilizing one or 

20 more cryptographic modules. The system also includes a database 
for all users' information. The software-based system, however, 
has brought about new challenges. 

The system should also be able to handle minor and 
catastrophic database failures without impacting the integrity 

25 of the on-line VBI system and provide for recovery of the 
database to minimize or eliminate the loss of data. In a 
hardware-based system, security is generally handled by the local 
hardware piece, that is unique to each user and includes a 
cryptographic module that encrypts that user's information. 

30 System recovery can generally be handled by replacing the 
corrupted local hardware pieces for each user that stores that 
user's information, however, data specific to that user may be 
lost. Nevertheless, for a software-based system, the system need 
to be configured to handle such database failures without 

35 sacrificing a major data loss and system security. 
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Therefore, there is a need for a new method and apparatus 
for implementation of an IBIP postage meter and other value- 

5 bearing items over a WAN that does not require the special 
purpose hardware device at the user site. Furthermore, there is 
a need for a secure and recoverable database in an on-line VBI 
system that is capable of preventing unauthorized access and 
handling minor and catastrophic database failures without 

10 impacting the integrity of the system. 

SUMMARY OF THE INVENTION 

In accordance with the present invention, a secure database 
in an on-line VBI system has been designed that has the ability 

15 to recover data in case of a database failure. The secure 
database includes account balances and other information for all 
of the on-line value-bearing item system customers and is capable 
of preventing access by unauthorized users. Also, a secure 
communication network is in operation to prevent unauthorized 

20 access to the users' data stored in the database. Additionally, 
the system is capable of handling minor and catastrophic database 
failures without impacting the integrity of the on-line value- 
bearing item system. The system is designed to provide for 
recovery of the database and minimize or eliminate the loss of 

25 data. 

The on-line value-bearing item system is designed to prevent 
unauthorized electronic access to a database subsystem. One 
level of security is a firewall, which should prevent almost all 
unauthorized access to the database subsystem. Another level of 

30 security is achieved by protecting the database subsystem by a 
postal server subsystem. Preferably, the postal server subsystem 
controls all communications with the database subsystem by 
executing an authentication algorithm to prevent unauthorized 
access. Another level of security is achieved by encrypting 

35 preferably, all communications between the client and the postal 
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server subsystem. The encryption-decryption function is employed 
using commonly known algorithms, such as, Rivest, Shamir and 

5 Adleman ("RSA") public key encryption, DES, Triple-DES, Pseudo- 
random number generation, and the like algorithms. Additionally, 
DSA signature, and SHA-1 hashing algorithms may be used to 
digitally sign a postage indicium or other VBI indicia. 

Yet another measure of security is the interaction between 

10 a cryptographic module and the database subsystem whenever a PSD 
transaction is initiated. The cryptographic module and the 
database subsystem cross-verify the last PSD transaction before 
proceeding with the next PSD transaction. If the last 
transaction record in the cryptographic module and the database 

15 subsystem do not match, then the on-line value-bearing item 
system shuts down until the situation can be investigated. This 
verification process protects against attempts of unauthorized 
individuals to replace the database subsystem. The registers in 
the cryptographic modules are cryptographically protected to 

20 achieve another level of security. 

Furthermore, the database subsystem is designed to allow for 
recovery of data in case of minor and catastrophic failures. The 
primary central database server in the database subsystem 
preferably has a live standby backup database server which 

25 mirrors its operation. In addition, the on-line value-bearing 
item system off-loads to a backup system, such as a backup tape 
drive or any other type of back up system, an audit log of all 
transactions several times every hour, preferably once every 
couple of minutes, to handle minor system failures. 

30 Preferably, every day, a data backup occurs and a backup 

tape is stored off-site along with the transaction download. In 
case of catastrophic failure, e.g., when the central database is 
not usable due to earthquake or fire, the data backup tape is 
used with the transaction log and a cryptographic module to bring 

35 the system back to its original state. 
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One aspect of the present invention describes a secure on- 
line system for printing VBI . The system comprises a server 

5 system capable of communicating with the client system over a 
communication, a secure database remote from the users including 
information about the users; computer executable code for 
password authentication to prevent unauthorized access to the 
database; and a cryptographic module for authenticating any of 

10 the one or more users. 

It is to be understood that the present invention is useful 
for printing not only postage, but any value bearing items, such 
as coupons, tickets, gift certificates, currency, voucher and the 
like. 

15 

BRIEF DESCRIPTION OF THE DRAWINGS 

The objects, advantages and features of this invention will 
become more apparent from a consideration of the following 
detailed description and the drawings, in which: 
20 FIG. 1 is a block diagram for the client /server architecture 

of one embodiment of the present invention; 

FIG. 2 is a block diagram of a remote user computer 
connected to a server via Internet; 

FIG. 3 is a block diagram of one embodiment of postage 
25 servers ; 

FIG. 4 is a block diagram of servers, databases, and 
services provided by one embodiment of the present invention; 

FIG. 4A is a block diagram of servers, databases, and 
services provided by one embodiment of the present invention; 
30 FIG. 5 is a block diagram of further servers, databases, and 

services provided by one embodiment of the present invention; 

FIG. 6 is a block diagram of some of the hardware components 
that provide security and back up to a database; and 

35 
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FIG. 7 is a block diagram of a client software, a 
cryptographic module, and a typical transaction between them 
5 during an operational state. 

DETAILED DESCRIPTION 

In one aspect, the system and method of the present 
invention prevent unauthorized electronic access to a database 

10 subsystem and secure customers' related data, among others. One 
level of security is achieved by protecting the database 
subsystem by a postal server subsystem. The postal server 
subsystem controls preferably, all communications with the 
database subsystem by executing an authentication algorithm to 

15 prevent unauthorized access. Another level of security is 
achieved by encrypting preferably, all communications between the 
client system and the postal server subsystem. The encryption- 
decryption function is employed using commonly known algorithms, 
such as, Rivest, Shamir and Adleman ( XN RSA") public key 

20 encryption, DES, Triple-DES, Pseudo-random number generation, and 
the like algorithms. Additionally, DSA signature, and SHA-1 
hashing algorithms may be used to digitally sign a postage 
indicium . 

Another measure of security is the interaction between a 
25 cryptographic module and the database subsystem whenever a PSD 
transaction (security device transaction) is initiated. The 
cryptographic module and the database subsystem cross-verify the 
last PSD transaction (security device transaction) before 
proceeding with the next PSD transaction. If the last 
30 transaction record in the cryptographic module and the database 
subsystem do not match, then the on-line VBI system shuts down 
until the situation can be investigated. This verification 
process protects against attempts of unauthorized individuals to 
replace the database subsystem. The registers in the 

35 
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cryptographic modules are cryptographically protected to achieve 
another level of security. 

5 An exemplary on-line postage system is described in U.S. 

patent Application No. 09/163,993 filed September 15, 1998, the 
entire contents of which are hereby incorporated by reference 
herein. The on-line postage system includes an e protocol that 
operates in conjunction with the USPS requirements. The system 

10 utilizes on-line postage system software comprising user code 
that resides on a client system and controller code that resides 
on a server system. The on-line postage system allows a user to 
print a postal indicium at home, at the office, or any other 
desired place in a secure, convenient, inexpensive and fraud-free 

15 manner. The system comprises a user system electronically 
connected to a server system, which in turn is connected to a 
USPS system. 

Each of the cryptographic modules may be available for use 
by any user. When a user requests a PSD service, one of the 

20 available modules is loaded with data belonging to the user's 
account and the transaction is performed. When a module is 
loaded with a user's data , that module becomes the user's PSD. 
The database record containing each user's PSD data is referred 
to as the "PSD package" (security device transaction data) . 

25 After each PSD transaction is completed, the user's PSD package 
is updated and returned to a database external to the module. 
The database becomes an extension of the module's memory and 
stores not only the items specified by the IBIP for storage 
inside the PSD, but also the user's personal cryptographic keys 

30 and other security relevant data items (SRDI) and status 
information needed for continuous operation. Movement of this 
sensitive data between the modules and the database is secured 
to ensure that PSD packages could not be compromised. 

In one embodiment, the server system is remotely located in 

35 a separate location from the client system. All communications 
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between the client and the server are preferably accomplished via 
the Internet. FIG. 1 illustrates a remote client system 220a 

5 connected to a server system 102 via the Internet 221. The 
client system includes a processor unit 223, a monitor 230, 
printer port 106, a mouse 225, a printer 235, and a keyboard 224. 
Server system 102 includes Postage servers 109, Database 130, and 
cryptographic modules 110. 

10 An increase in the number of servers within the server 

system 102 will not negatively impact the performance of the 
system, since the system design allows for scalability. The 
Server system 102 is designed in such a way that all of the 
business transactions are processed in the servers and not in the 

15 database. By locating the transaction processing in the servers, 
increases in the number of transactions can be easily handled by 
adding additional servers. Also, each transaction processed in 
the servers is stateless, meaning the application does not 
remember the specific hardware device the last transaction 

20 utilized. Because of this stateless transaction design, multiple 
servers can be added to each appropriate subsystem in order to 
handle increased loads. 

Furthermore, each cryptographic module is a stateless 
device, meaning that a PSD package can be passed to any device 

25 because the application does not rely upon any information about 
what occurred with the previous PSD package. Therefore, multiple 
cryptographic modules can also be added to each appropriate 
subsystem in order to handle increased loads. A PSD package for 
each cryptographic module is a database record, stored in the 

30 server database, that includes information pertaining to one 
customer' s service that would normally be protected inside a 
cryptographic module. The PSD package includes all data needed 
to restore the PSD to its last known state when it is next loaded 
into a cryptographic module. This includes the items that the 

35 IBIP specifications require to be stored inside the PSD, 
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information required to return the PSD to a valid state when the 
record is reloaded from the database, and data needed for record 

5 security and administrative purposes. 

In one embodiment, the items included in a PSD package 
include ascending and descending registers (the ascending 
register "AR" records the amount of postage that is dispensed or 
printed on each transaction and the descending register "DR" 

10 records the value or amount of postage that may be dispensed and 
decreases from an original or charged amount as postage is 
printed.), device ID, indicia key certificate serial number, 
licensing ZIP code, key token for the indicia signing key, the 
user secrets, key for encrypting user secrets, data and time of 

15 last transaction, the last challenge received from the client, 
the operational state of the PSD, expiration dates for keys, the 
passphrase repetition list and the like. 

As a result, the need for specific PSDs being attached to 
specific cryptographic modules is eliminated. A Postal Server 

20 subsystem provides cryptographic module management services that 
allow multiple cryptographic modules to exist and function on one 
server, so additional cryptographic modules can easily be 
installed on a server. The Postal Sever subsystem is easy to 
scale by adding more cryptographic modules and using commonly 

25 known Internet load-balancing techniques to route inbound 
requests to the new cryptographic modules. 

Referring back to FIG. 1, Postage servers 109 include one 
or more Postal servers and provide indicia creation, account 
maintenance, and revenue protection functionality for the 

30 exemplary on-line postage system. The Postage servers 109 may 
include several physical servers in several distinct logical 
groupings, or services as described below. The individual 
servers could be located within one facility, or in several 
facilities, physically separated by great distance but connected 

35 by secure communication links. 
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Cryptographic modules 110 are responsible for creating PSDs 
and manipulating PSD data to protect sensitive information from 

5 disclosure, generating the cryptographic components of the 
digital indicia, and securely adjusting the user registration. 
When a user wishes to print VBI , for example, postage or 
purchase additional VBI or postage value, a user state is 
instantiated in the PSD implemented within one of the 

10 cryptographic modules 110. Database 111 includes all the data 
accessible on-line for indicia creation, account maintenance, and 
revenue protection processes. Postage servers 109, Database 130, 
and cryptographic modules 110 are maintained in a physically 
secured environment, such as a vault. 

15 FIG. 2 shows a simplified system block diagram of a typical 

Internet client /server environment used by an on-line VBI system 
in one embodiment of the present invention. PCs 220a-220n used 
by the postage purchasers are connected to the Internet 221 
through the communication links 233a-233n. Each PC has access 

20 to one or more printers 235. Optionally, as is well understood 
in the art, a local network 234 may serve as the connection 
between some of the PCs, such as the PC 220a and the Internet 221 
or other connections. Servers 222a-222m are also connected to 
the Internet 221 through respective communication links. Servers 

25 222a-222m include information and databases accessible by PCs 
220a-220n. The on-line VBI system of the present invention 
resides on one or more of Servers 222a-222m. 

In this embodiment, each client system 220a-220m includes 
a CPU 223, a keyboard 224, a mouse 225, a mass storage device 

30 231, main computer memory 227, video memory 228, a communication 
interface 232a, and an input/output device 226 coupled and 
interacting via a communication bus. The data and images to be 
displayed on the monitor 230 are transferred first from the video 
memory 228 to the video amplifier 229 and then to the monitor 

35 230. The communication interface 232a communicates with the 
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servers 222a-222m via a network link 233a. The network link 
connects the client system to a local network 234. The local 

5 network 234 communicates with the Internet 221. 

In one embodiment a customer, preferably licensed by the 
USPS and registered with an IBIP vendor (such as Stamps.com) , 
sends a request for authorization to print a desired amount of 
VBI, such as postage. The server system verifies that the user's 

10 account holds sufficient funds to cover the requested amount of 
postage, and if so, grants the request. The server then sends 
authorization to the client system. The client system then sends 
image information for printing of a postal indicium for the 
granted amount to a printer so that the postal indicium is 

15 printed on an envelope or label. 

In one embodiment, when a client system sends a VBI print 
request to the server system, the request needs to be 
authenticated before the client system is allowed to print the 
VBI, and while the VBI is being printed. The request is 

20 cryptographically authenticated using an authentication code. 
The client system sends a password (or passphrase) entered by a 
user to the server for verification. If the password fails, a 
preferably asynchronous dynamic password verification method 
terminates the session and printing of the VBI is aborted. Also, 

25 the server system communicates with a system located at a 
certification authority for verification and authentication 
purposes . 

In one embodiment, the information processing components of 
the on-line VBI system include a client system, a postage server 
30 system located in a highly secure facility, a USPS system and the 
Internet as the communication medium among those systems. The 
information processing equipment communicates over a secured 
communication line . 

Preferably, the security and authenticity of the information 
35 communicated among the systems are accomplished on a software 
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level through the built-in features of a Secured Socket Layer 
(SSL) Internet communication protocol. An encryption hardware 

5 module embedded in the server system is also used to secure 
information as it is processed by the secure system and to ensure 
authenticity and legitimacy of requests made and granted. 

The on-line VBI system is based on a client/server 
architecture. Generally, in a system based on client/server 

10 architecture the server system delivers information to the client 
system. That is, the client system requests the services of a 
generally larger computer. In one embodiment, the client is a 
local personal computer and the server is a more powerful group 
of computers that house the information. The connection from the 

15 client to the server is made via a Local Area Network, a phone 
line or a TCP/IP based WAN on the Internet or any other types of 
communication links such as wireless or satellite links. A 
primary reason to set up a client /server network is to allow many 
clients access to the same applications and files stored on the 

20 server system. 

The on-line VBI system does not require any special purpose 
hardware for the client system. The client system is implemented 
in the form of software that can be executed on a user computer 
(client system) allowing the user computer to function as a 

25 virtual VBI meter. The software can only be executed for the 
purpose of printing the VBI indicia when the user computer is in 
communication with a server computer located, for example, at a 
VBI meter vendor's facility (server system). The server system 
is capable of communicating with one or more client systems 

3 0 simultaneously . 

In one embodiment, the on-line system includes the following 
subsystems: the Database subsystem, the Postal Server subsystem, 
the Provider Server subsystem, the E-commerce subsystem, the 
Staging subsystem, the Client Support subsystem, the Decision 

35 Support subsystem, the SMTP subsystem, the Address Matching 
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service (AMS) subsystem, the SSL Proxy Server subsystem and the 
Web Server subsystem, and the like, as shown in FIGs . 4 and 4A. 

5 Preferably, the Database, Postal Server, Provider, E-commerce, 
Client Support Services, SMTP, AMS, SSL Proxy Server, Web Server 
subsystems, and Staging subsystems reside in the vault while the 
Decision Support Services reside outside the vault. 

Postage servers 109 in FIG. 1 include a string of servers 

10 connected to the Internet, for example, through a Tl line, and 
are preferably protected by a firewall. The firewall permits a 
client to communicate with a server system, only if the 
information packet transmitted by the client system complies with 
a security policy set by the server system. The firewall not 

15 only protects the system from unauthorized users on the Internet, 
it also separates the Public Network (PUBNET) from the Private 
Network (PRVNET) . This ensures that packets from the Internet 
will not go to any location but the PUBNET. The string of 
servers form the different subsystems of the postal system. The 

20 services provided by the different subsystems of the on-line VBI 
system are designed to allow flexibility and expansion and reduce 
specific hardware dependancy. 

The Database subsystem is comprised of multiple databases. 
FIG. 4 illustrates an exemplary Database subsystem which includes 

25 the Postal Database 47, Postal Database Management System 47A, 
the Provider Database 42, Provider Database Management System 
42A, the E-commerce Database 46, E-commerce Database Management 
System 46A, the Membership Database 48, the Membership Database 
Management System 48A, the Staging Services Database 49, and the 

30 Staging Services Database Management System 49A protected by 
firewall 40. Different portions of the Database subsystem are 
described below. Also, the databases are referred to as a 
portion of the Database subsystem after an initial reference as 
the subsystem database (e.g., Postal Database first, then Postal 

35 portion of the Database subsystem) . A secure standby backup 
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database server (not shown) mirrors the primary database server 
to minimize the impact of any interruption of the primary 

5 database server. 

The Postal Server subsystem 41 manages client and remote 
administration access to server functionality, authenticates 
clients and allows clients to establish a secure connection to 
the on-line VBI system. The Postal Server subsystem also manages 

10 access to USPS specific data such as PSD information and a user' s 
license information. The Postal Server subsystem queries the 
Postal portion of the Database subsystem for the necessary 
information to complete the task. The query travels through the 
firewall 40 to the Postal portion of the Database subsystem. The 

15 Postal Server subsystem is the subsystem in the Public Network 
that has access to the Database subsystem. 

In one embodiment, the Database subsystem is comprised of 
multiple databases, as shown in FIG. 4A. In this embodiment, the 
Database 411 includes the Affiliate DBMS and the Source IDs DBMS. 

20 The Affiliate DBMS manages affiliate information (e.g., 
affiliate's name, phone number, and affiliate's Website 
information) that is stored on the Affiliate Database. Using the 
data from this database, marketing and business reports are 
generated. The Source IDs Database contains information about 

25 the incoming links to the vendor's Website (e.g., partners' 
information, what services the vendor offers, what marketing 
program is associated with the incoming links, and co-branding 
information) . Using the data from this database, marketing and 
business reports are generated. 

30 The Online Store Database 412 contains commerce product 

information, working orders, billing information, password reset 
table, and other marketing related information. Website database 
410 keeps track of user accesses to the vendor website. This 
database keeps track of user who access the vendor website, users 

35 who are downloading information and programs, and the links from 
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which users access the vendor website. After storing these data 
on the Website Database 410, software tools are used to generate 
5 the following information: 

Web Site Status 

Web Site Reports 

Form Results 

Download Successes 
10 • Signup, Downloads, and Demographic Graphs 

Web Server Statistics (Analog) 

Web Server Statistics (Web Analyzer) 

Offline database 409 manages the VBI data (except meter 
information) , postal transactions data, financial transactions 

15 data (e.g., credit card purchases, free postage issued, bill 
credits, and bill debits) , customer marketing information, 
commerce product information, meter license information, meter 
resets, meter history, and meter movement information. 
Consolidation Server 413 acts as a repository for data, 

20 centralizing data for easy transportation outside the vault 400. 
The Consolidation Server hosts both file and database services, 
allowing both dumps of activity logs and reports as well as a 
consolidation point for all database data. 

The Offline Reporting Engine MineShare Server 415 performs 

25 extraction transformation from the holding database that received 
transaction data from the Consolidated Database (Commerce 
database 406, Membership database 408, and Postal Database 407) . 
Also, the Offline Reporting Engine MineShare Server handles some 
administrative tasks. Transaction data in the holding database 

30 contains the transaction information about meter licensing 
information, meter reset information, postage purchase 
transactions, and credit card transactions. After performing 
extraction transformation, business logic data are stored on 
Offline Database 409. Transaction reports are generated using 

35 



-15- 



1 



39477/RRT/S850 



the data on the Offline Database. Transaction reports contain 
marketing and business information. 

5 The Data Warehouse database 414 of FIG. 4A includes all 

customer information, financial transactions, and aggregated 
information for marketing queries (e.g., how many customers have 
purchased postage) . In one embodiment, commerce Database 406 
includes a Payment Database, an E-mail Database, and a Stamp Mart 

10 Database. The E-mail DBMS manages access to the contents of e- 
mail that were sent out to everyone by vendor servers. The Stamp 
Mart database handles order form processing. The E-commerce 
Server 404 provides e-commerce related services on a user/group 
permission basis. It provides commerce-related services such as 

15 payment processing, pricing plan support and billing as well as 
customer care functionality and LDAP membership personalization 
services . 

A Credit Card Service is invoked by the E-commerce Server 
404 to authorize and capture funds from the customer's credit 

20 card account and to transfer them to the vendor's merchant bank. 
A Billing Service is used to provide bills through e-mail to 
customers based on selected billing plans An ACH service runs 
automatically at a configurable time. It retrieves all pending 
ACH requests and batches them to be sent to bank for postage 

25 purchases (i.e. money destined for the USPS), or Chase for fee 
payments which is destined for the vendor account. 

The E-commerce DBMS 406 manages access to the vendor 
specific Payment, Credit Card, and Email Databases. A Membership 
DBMS manages access to the LDAP membership directory database 408 

30 that hosts specific customer information and customer membership 
data. A Postal DBMS manages access to the Postal Database 407 
where USPS specific data such as meter and licensing information 
are stored. A Postal Server 401 provides secure services to the 
Client, including client authentication, postage purchase, and 

35 indicia generation. The Postal Server requires cryptographic 
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modules to perform all functions that involve client 
authentication, postage purchase, and indicia generation. 

Postal Transaction Server 403 provides business logic for 
postal functions such as device authorization and postage 
purchase/register manipulation. The Postal Transaction Server 
requires the cryptographic modules to perform all functions. 
There are four Client Support Servers. Address Matching Server 
(AMS) 417 verifies the correct address specified by a user. When 
the user enters a delivery address or a return address using the 
Client Software, the user does not need the address matching 
database on the user's local machine to verify the accuracy of 
the address. The Client software connects to the vendor's server 
and uses the central address database obtained from the USPS to 
verify the accuracy of the address. If the address is incorrect, 
the client software provides the user with a prioritized list of 
addresses to match the correct address. These choices are ranked 
in a user definable order. This information is represented using 
a plain text format. 

The Client Support Servers 417 of FIG. 4A provides the 
following services: a Pricing Plan service, an Auto Update 
service, and a Printer Config service. The Pricing Plan Service 
provides information on pricing plans and payment methods 
available to the user. It also provides what credit cards are 
supported and whether ACH is supported. This information is 
represented preferably using a plain text format. The Auto 
Update Service verifies whether the user is running the latest 
Client Software. If there is newer Client Software, the Auto 
Update Server downloads the new patches to the user computer. 
The Client Support Database has tables for the client software 
update information. This information is represented using a 
plain text format. 

Before the user tries to print postage, the user sends his 
or her printer driver information over the Internet in plain 
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text. The Printer Config Service looks up the printer driver 
information in the Printer Driver Database to determine whether 

5 the printer driver is supported or not. When the user tries to 
configure the printer, the user prints a test envelope to test 
whether the postage printing is working properly or not. This 
testing envelope information is sent over the Internet in plain 
text and is stored in the Client Support Database. 

10 MeterGen server 422 makes calls into the cryptographic 

module to create sufficient meters to ensure that the vendor can 
meet customer acquisition demands. SMTP Server 418 communicates 
with other SMTP servers , and it is used to forward e-mail to 
users. Gatekeeper Server works as a proxy server by handling the 

15 security and authentication validation for the smart card users 
to access customer and administration information that reside in 
the vault. 

The Proxy Server 423 uses the Netscape™ Enterprise SSL 
library to provide a secure connection to the vault 400. Audit 

20 File Server 419 acts as a repository for module transaction logs. 
The Audit File Server verifies the audit logs that are digitally 
signed. The audit logs are verified in real time as they are 
being created. Postal Server writes audit logs to a shared hard 
drive on the Audit File Server. After these logs are verified, 

25 the Audit File Server preferably moves them from the shared hard 
drive to a hard drive that is not shared by any of the vendor 
servers . 

Provider Server provides reporting and external 
communication functionality including the following services. 

30 CMLS Service forwards license applications and it processes 
responses from CMLS. The CMLS Service uses cryptographic 
functions provided by the Stamps.com Crypt library to decrypt the 
user's SSN/Tax ID/Employee ID. CMRS Service reports meter 
movement and resetting to the USPS Computerized Meter Resetting 

35 infrastructure. ACH Service is responsible for submitting ACH 
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postage purchase requests to the USPS lockbox account at the 
bank. The CMLS Service uses cryptographic functions to decrypt 
the user's ACH account number. 

After decrypting ACH account inf ormation, the ACH is 
encrypted using the vendor's script library. Then, the encrypted 
ACH file is e-mailed to the Commerce Group by the SMTP server. 
When the Commerce Group receives this encrypted e-mail, the 
vendor's Decrypt utility application is used to decrypt the ACH 
e-mail. After verifying the ACH information, the Commerce Group 
sends the ACH information through an encrypted device first and 
then uses a modem to upload the ACH information to a proper bank. 
The Certificate Authority issues certificates for all IBIP 
meters. The certificates are basically used to provide 
authentication for indicia produced by their respective meters. 

The following are exemplary steps describing the certificate 
authorization process: 

MeterGen asks the module to create a meter package, 

The module returns a package and the meter's public key, 

MeterGen creates a certificate request with the public key, 

signs the request with a USPS-issued smartcard, and submits 

the request to the USPS Certificate Authority, 

The Certificate Authority verifies the request came from 

the vendor then, it creates a new certificate and returns 

it to MeterGen, 

MeterGen verifies the certificate using the USPS 
Certificate Authority's certificate (e.g., to ensure it 
wasn't forged) and stores the certificate information in 
the package. The package is now ready to be associated 
with a customer . 

The Postal Server subsystem 401 of FIG. 4A manages client 
and remote administration access to server functionality, 
authenticates clients and allows clients to establish a secure 
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connection to the on-line VBI system. The Postal Server 
subsystem also manages access to USPS specific data such as PSD 

5 information and a user's license information. The Postal Server 
subsystem queries the Postal portion of the Database subsystem 
for the necessary information to complete the task. The query 
travels through the firewall to the Postal portion of the 
Database subsystem. The Postal Server subsystem is the subsystem 

10 in the Public Network that has access to the Database subsystem. 

In one embodiment of the present invention, Postal Server 
401 is a standalone server process that provides secure 
connections to both the clients and the server administration 
utilities, providing both client authentication and connection 

15 management functionality to the system. Postal Server 401 also 
houses postal-specific services that require high levels of 
security, such as purchasing postage or printing indicia. Postal 
Server 401 is comprised of at least one server, and the number 
of servers increases when more clients need to be authenticated, 

20 are purchasing postage or are printing postage indicia. 

In one embodiment, as illustrated in FIG. 3, the Postal 
Server subsystem 41 is physically comprised of at least one 
cryptographic module 52, at least one Postal Server 53 and at 
least one PostalX Server (PSX) 54. When the workload is 

25 increased, the number of each of these devices can be increased 
to accommodate the additional work. 

In one embodiment of the present invention, the 
cryptographic modules 52 are FIPS 140-1 certified hardware cards 
that include firmware to implement PSD functionality in a 

30 cryptographically secure way. The cryptographic modules are 
inserted into any of the servers in the Postal Server 
Infrastructure. The cryptographic modules are responsible for 
creating PSDs and manipulating PSD data to generate and verify 
digitally signed indicia. Since the PSD data is created and 

35 signed by a private key known only to the card, the PSD data may 



-20- 



1 39477/RRT/S850 



be stored externally to the cryptographic modules without 
compromising security . 

5 In one embodiment of the present invention, Postal Server 

53 is a standalone server process that provides secure 
connections to both the clients and the server administration 
utilities, providing both client authentication and connection 
management functionality to the system. Postal Server 53 also 

10 houses postal-specific services that require high levels of 
security, such as purchasing postage or printing indicia. Postal 
Server 53 is comprised of at least one server, and the number of 
servers increases when more clients need to be authenticated, are 
purchasing postage or are printing postage indicia. 

15 The growth in the number of servers of the Postal Server 

will not impact the performance of the system since the system 
design allows for scalability. The Postal Server is designed in 
such a way that all of the business logic is processed in the 
servers and not in the database. By locating the transaction 

20 processing in the servers, increases in the number of 
transactions can be easily handled by adding additional servers. 
Also, since each transaction is stateless (the application does 
not remember the specific hardware device the last transaction 
utilized) , multiple machines can be added to each subsystem in 

25 order to handle increased loads. In one embodiment, load 
balancing hardware and software techniques are used to distribute 
traffic among the multiple servers. 

In one embodiment of the present invention, PXS 54 is a 
standalone server process that provides trusted plain-text access 

30 to in-vault components. PXS 54 hosts postal-specific services 
that are protected from access external to the vault via a 
firewall. The PostalX Services provide business logic for postal 
functions such as device authorization and postage 
purchase/register manipulation. The PXS services require 

35 cryptographic modules to perform all functions because the PXS 
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services are vital to the system' s integrity and are protected 
by encryption. The PXS services can be located on one physical 
5 server or multiple machines depending on the number of postal- 
specific transactions . 

The growth in the number of servers of the PostalX Server 
will not impact the performance of the system since the system 
design allows for scalability in two ways. the PostalX Server 
10 is designed in such a way that all of the business logic is 
encapsulated in the servers, not in the database. By locating 
the transaction processing in the servers, increases in the 
number of transactions can be easily handled by adding additional 
servers. Also, since each transaction is stateless, multiple 
15 machines can be added to each subsystem in order to handle 
increased loads. In one embodiment, load balancing hardware and 
software techniques are used to distribute traffic among the 
multiple servers. 

Referring back to FIG. 4, the Postal Database Management 
20 System 47A manages access to the Postal section of the Database 
subsystem where USPS specific data such as meter and licensing 
information is stored. The Postal Database Management System is 
scalable and can be expanded to meet the needs of the Postal 
Server subsystem. The database schema design allows for the data 
25 to be partitioned across multiple physical databases. In one 
embodiment of the invention, the database is managed by 
relational database management software, such as MS SQL Server 
or the like. In one embodiment, the Postal Database Management 
System runs on two hardware servers. 
30 The Postal Database 47 is a secure database that stores all 

information for the Postal Server subsystem. The Postal portion 
of the Database subsystem contains the postal-specific 
information such as licensing, registration, and meter-specific 
data for all of the customers. Access to the Postal portion of 
35 the Database subsystem occurs through the Postal Server 
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subsystem. Each piece of client software has a unique software 
serial number, which will be generated and kept in the database 

5 during product registration. 

Provider subsystem 42B provides reporting and external 
communication functionality for the Postal Information System. 
Preferably, the Provider subsystem is located on the PRVNET along 
with the Database Subsystem and communicates directly with the 

10 Database Subsystem when the Provider Subsystem services request 
Database subsystem information. As shown in FIG . 3, Provider 
Subsystem 42B includes Provider Server 55 and Provider Database 
42. The Provider Subsystem 42B includes the following services: 
Central Metering License Services (CMLS) , Central Meter Resetting 

15 Services (CMRS) , Automated Clearing House (ACH) transactions, 
Credit Card services and Billing services. In one embodiment the 
Provider subsystem 42B runs on two hardware servers as shown in 
FIG. 4. 

The CMLS service forwards license applications to and 

20 processes requests from the CMLS in the USPS through a CMLS/CMRS 
communication link. The CMRS service provides meter movement and 
meter resetting information through the CMLS/CMRS communication 
link to the USPS Computerized Meter resetting infrastructure. 
The ACH Service submits ACH postage purchase requests through an 

25 ACH communication link to a USPS lockbox account at a bank. The 
Credit Card Service is invoked by the E-commerce services to 
authorize and capture funds from the customer's credit card 
account and transfer them to a designated merchant bank. The 
Billing Service provides bills through e-mail to customers based 

30 on selected billing plans. All of the Provider subsystem's 
communication with external devices is secure, since the 
communication is encrypted. 

The services included in the Provider subsystem 42B are 
classified as either services running across multiple servers or 

35 Singleton services. A Singleton service is a service where only 
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one effective instance is executing at one time, so multiple 
operations of the service will not be operating at the same time. 

5 Preferably, the CMLS , CMRS and ACH services are all Singleton 
services and are not scalable because they transmit data in a 
specific format at specified times to external USPS or banking 
systems. The remaining services in the Provider subsystem 
(Credit Card and Billing services) are scalable and can be run 

10 on multiple servers. 

The Provider Database Management System 42A manages access 
to the Provider section of the Database subsystem where Provider 
specific data such as Meter resetting records, Postage Value 
Download (PVD) information, batch status information and CMLS 

15 license information is stored. The PVD information is included 
in the log file that is sent to the USPS on a regular basis. The 
Provider Database Management Services are scalable and can be 
expanded to meet the needs of the Provider Server subsystem. 
The schema design allows for the data to be partitioned across 

20 multiple physical databases. In one embodiment, the Provider 
Database Management System runs on two hardware servers. 

The Provider Database 42 is a secure database that stores 
all information for the Provider Server subsystem. The Provider 
portion of the Database subsystem contains Provider subsystem 

25 specific data such as Meter resetting records, PVD information, 
batch status information and CMLS license information. 

The E-commerce subsystem 46B, shown in FIG. 3, provides 
functionality for the E-commerce related services required by 
Customer Support personnel and system administrators. The 

30 Customer Support personnel and system administrators access the 
on-line postage system through the E-commerce subsystem. E- 
commerce subsystem 46B communicates with the Database subsystem 
through the Postal Server subsystem and preferably is connected 
to a Public Network. The E-Commerce subsystem also provides 

35 commerce-related services, such as payment processing, pricing 



-24- 



1 



39477/RRT/S850 



plan support and billing, as well as customer care functionality 
and Lightweight Directory Access Protocol (LDAP) membership 

5 personalization services. 

LDAP is a protocol for accessing online directory services 
over the TCP/IP network protocol and can be used to access 
standalone LDAP directory services or directory services 
supporting the X.500 standard. It provides a standard way for 

10 Internet clients, applications and Web servers to access 
directory listings of large number of Internet users. 

E-Commerce subsystem 46B also includes a group of servers 
and databases including the Proxy Services 43, E-commerce Servers 
44, E-commerce Database 46, Membership Database 48, E-commerce 

15 Database Management System 46A, Membership Database Management 
System 48A, and Credit Card Server 45. 

Proxy Services 43 provide Customer Support and authenticated 
access for administrators to the E-Commerce Servers. In one 
embodiment, the Proxy Services run on one hardware server. The 

20 E-commerce Services, such as payment processing, pricing plan 
support, billing, customer care functionality and LDAP membership 
services run on the E-commerce Servers 44. The number of the E- 
commerce servers can easily be increased to meet the growing 
needs of the E-commerce subsystem. The growing number of servers 

25 will not impact the performance of the on-line postage system 
because the system design allows for scalability of the servers. 

E-commerce Database Management System 4 6A manages access to 
E-commerce Database 46 where commerce related information is 
stored, as shown in FIG. 4. E-Commerce Database 46 includes 

30 information on non-postal commerce transactions, credit card 
validations, customer invoicing, etc. E-commerce Database 
Management System 46A is scalable and may easily be expanded to 
meet the needs of the system. If the number of E-commerce 
related transactions increase, the database schema design allows 

35 for the data to be partitioned across additional physical 



-25- 



1 39477/RRT/S850 



databases. The schema can be easily updated to add new devices 
and incorporate them into the Database subsystem. In one 
5 embodiment, the E-commerce Database Management System is resident 
on two hardware servers. The E-commerce portion of the Database 
subsystem includes specific data such as purchase transactions , 
pricing plans, billing information, and customer account 
information . 

10 Membership Database Management System 48A provides access 

to Membership database 48. The Membership Database Management 
System manages access to the LDAP membership directory database 
that hosts specific customer information and customer membership 
data. The Membership Database contains all customer and internal 

15 user profile information, plus security information for all 
internal system users. The Membership Database Management System 
is scalable and expands to meet the needs of the system. If the 
number of customer profile transactions increase, the database 
schema design allows for the data to be partitioned across 

20 additional physical databases. The schema can be easily updated 
to add new devices and incorporate them into the Database 
subsystem. In one embodiment, Membership Database Management 
System 48A is resident on two hardware servers. The Membership 
portion of the Database subsystem includes specific customer 

25 profile information . 

The SSL Proxy server (part of Proxy 43) allows secure HTTP 
access from a web browser and is used by the system 
administrators to access the e-commerce subsystem. Web Server 
56A is used to maintain the website, facilitate the customer 

30 support activities and distribute the client software to 
interested parties. Web Server 56A communicates with the clients 
58 through the Internet 221 and the internal departments via the 
Intranet LAN 40A. The information for maintaining the website 
and tracking affiliate performance is located in Website Database 

35 56. An Affiliate Database (not shown) stores client software 
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versions, affiliate profiles and tracking codes and Advertising 
and Marketing tracking numbers. 

5 FIG. 5 illustrates more subsystems of the exemplary on-line 

postage system, namely, AMS servers 61, Client Support Servers 
62, Client Support Database Management System 62A, Client Support 
Database 62B, the Decision Support Services (DSS) Database 
Management System 63A, DSS database 63, Staging Database 

10 Management System 66A and Staging Database 66, SMTP server 65, 
and Backup Services 65. 

SMTP server 65 runs the internal and external E-mail 
systems. The Staging Services subsystem coordinates aggregation 
of business data. Preferably, each night, all of the changes 

15 made in the Database subsystem in the last 24 hours are loaded 
into Staging Database 66. Staging Services Database Management 
System 66A manages access to Staging Database 66. After 
gathering changes in the databases, Staging Services Database 
Management System 66A strips out all of the critical data such 

20 as credit card numbers and critical USPS specific information, 
and moves the changes to offline databases. Staging Services 
Database Management System 66A is scalable and may be easily be 
expanded to meet the needs of the system. In one embodiment, the 
Staging Services Database Management System is resident on two 

25 hardware servers . 

Backup Services subsystem 64 provides the data backup for 
the Database subsystem. The first backup is the secondary 
Database Server, which is a live standby server that mirrors the 
primary Database server as described above. The second backup 

30 is a transaction log on the Postal Server that is stored (off- 
loaded) preferably every couple of minutes in a tape backup 
device, which allows the system administrators to reconstruct the 
system up to the last transactions if a database failure occurs. 
Finally, the entire Database subsystem is backed up every day and 

35 
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archived off premises to ensure that the data is available if the 
physical on-line VBI system suffers catastrophic failure. 

The AMS subsystem 61 validates source and destination 
addresses against a USPS table to verify the mail is being sent 
to a recognized location. This service is utilized each time the 
user attempts to print postal indicia. The AMS system is used 
when a user enters a delivery address or a return address using 
the client software. The user does not need the address matching 
database on the user's local machine to verify the accuracy of 
the address. The client software connects to the Postage Server 
and uses a central address database obtained from the USPS to 
verify the accuracy of the address. If the address is incorrect, 
the client software provides the user with a prioritized list of 
addresses to match the correct address. Preferably, these 
choices are ranked in order according to the type of match. 

Since the printing of VBI indicia is the most common 
transaction in this system, this service is separated from other 
services in order to ensure the AMS does not create performance 
problems in the on-line VBI system. All of the services, except 
for the previously-mentioned Singleton services, are scalable and 
are modified to adjust to the number of transactions requested. 
AMS transactions increase substantially when more individuals 
utilize the system so the AMS transactions are scaled separately 
from the other transactions. Preferably, load balancing services 
are used to assist distributing the workload to the AMS servers. 
In one embodiment, the AMS Services run on two servers. 

The Client Support Services subsystem 58 of FIG. 3 is 
comprised of the client services that typically do not require 
secure transactions. Client Support Services subsystem 58 of 
FIG. 3 includes the Client Support Servers 62, the Client Support 
Database Management System 62A, and the Client Support Database 
62B, as shown in FIG 5. The services that execute on the Client 
Support Servers preferably include, Registration Services, Auto- 
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Update Service, Printer Config Service, Postal Rate Info Service, 
and Printer DB Update Service. The Client Support Services are 

5 typically low in volume, however, the number of servers and the 
capacity of the database can be readily scaled according to the 
workload of the system. In one embodiment, the Client Support 
Services are run on two servers. 

The Registration Services includes supported payment type 

10 and billing plan information. The Auto-Update Service updates 
the client software when new client software versions are 
released. The Printer Configuration Services assist in setting 
up the printer to guarantee that the indicia printed meets USPS 
criteria. The Rates Service calculates the correct rate for the 

15 client based on class, destination and weight. The Printer 
Database Service updates the on-line VBI system with any new 
printer or printing information. 

The Client Support Database Management System 62A of FIG. 
5 manages access to the Client Support Database (CSD) 62B. The 

20 processing requirements of CSD 62B are low, but availability of 
the CSD is vital, so multiple physical servers running in a 
cluster are necessary to ensure this availability. In one 
embodiment, the Client Support Database Management System runs 
on two hardware servers connected to one external CSD storage 

25 devices. 

CSD 62B is an external storage component for the Client 
Support Services subsystem 58 . Transactions executing on the 
Client Support Servers requiring storage utilize the CSD 62B. 
The data storage size requirements for CSD 62B are relatively 
30 low. As the number of Client Support Services transactions 
grows, the database will grow. The database schema design allows 
for the data to be partitioned across multiple physical 
databases . 

The Decision Support System (DSS) includes the DSS Database 
35 Management System 63A and the DSS Database 63, as shown in FIG. 
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5. The DSS allows restricted (read-only, time delayed) access 
to the postal data. The DSS Database Management System 63A 

5 controls access to DSS Database 63. In one embodiment, the DSS 
various accounting tasks for the Staging Services Database 
Management System. As the processing requirements of the DSS 
vary, the availability of the DSS subsystem may also vary. 
Therefore, DSS Database Management System 63A runs in a cluster 

10 on multiple servers to ensure DSS availability. DSS Database 63 
is preferably offline and includes most or all of the user's 
profile information. Preferably, Staging Database 66 receives 

a nightly automatic delta update, which gathers all of the data 
that has changed over the previous 2 4 hours. The data that has 

15 changed over the last 24 hours is filtered according to data 
access guidelines. The data is transferred from Staging Database 
66 to DSS Database 63. The update is a one-way update only. 
After the data has been moved, it is available for reading and 
queries for the Marketing, Finance, Customer Support and 

20 Management departments. DSS Database 63 contains user profile 
information, including historical transaction information. As 
the number of DSS transactions grows, DSS Database 63 grows to 
accommodate the additional transactions. A database schema 
design allows for the data to be partitioned across multiple 

25 physical databases . 

The on-line VBI system is designed to prevent unauthorized 
electronic access to the Database subsystem. FIG. 6 illustrates 
the hardware components that provide the security to the Database 
subsystem. The first line of defense is firewall 40, which 

30 prevents unauthorized access to the servers. Firewall 40 is 
connected to Public Network 73 and Private Network 72. Router 
71A and switch 71B direct data from Internet 221 to firewall 40 
and together, serve as the portal from the Internet 221 to the 
on-line VBI system servers. Stack Hubs 74A and 74B interface 

35 
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Public Network 73 and Private Network 72 to the firewall 40 
respectively . 

5 Connected to Public Network 73 through Stack Hub 74A are 

Postal Server subsystem 41 and E-commerce subsystem 46B. 
Cryptographic module 52 is connected to Postal Server subsystem 
41. Connected to Private Network 72 through Stack Hub 74B are 
Provider subsystem 42B, a Back up database 76 that mirrors 

10 information as data is stored, and the primary database 51. A 
tape back up system 75 is connected to primary database 51 for 
periodically backing up the database. 

The second line of defense is the protection of the Database 
subsystem by the Postal Server Subsystem. The Public Network 73 

15 includes the E-commerce subsystem 46B and the Postal Server 
subsystem 41. The Private Network 72 includes the Database 
subsystem 51 and the Provider subsystem 42B. The firewall 40 is 
configured to deny access to the Private Network 72 by 
unauthorized users. The only access to the Private Network 72 

20 (specifically the Database subsystem 51) by external users is 
through the firewall 40. In the Public Network 73, the Postal 
Server subsystem 41 controls access to the Private Network 72. 
In one embodiment, dual Cisco PIX 520 hardware firewalls 
including two independent Network Interface Cards (NIC) are used 

25 for firewall 40 . 

The Postal Server subsystem 41 executes an authentication 
algorithm for dynamically and asynchronously verifying passwords 
to ensure that only properly authenticated users are allowed 
access to the Database subsystem 51. The Postal Server subsystem 

30 41 runs software built around the authentication algorithm, and 
thus acts as a gatekeeper to prohibit unauthorized users from 
entering the Postal Server subsystem 41and the Database subsystem 
51. Preferably, only the custom made software built around the 
authentication algorithm runs on the Postal Server subsystem 41 

35 for security purposes. 
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Information in the Database subsystem 51 can be retrieved 
or altered only by accessing the database through the Postal 

5 Server subsystem 41. However, the authentication algorithm 
executed by the Postal Server subsystem 41 prevents unauthorized 
access to the Database subsystem 51 resulting in secure 
information in the Database subsystem. Preferably, the E- 
Commerce subsystem 46B, also, only communicates with the Database 

10 subsystem 51 through the Postal Server subsystem 41. The 
Provider subsystem 42B communicates with the Database subsystem 
51 directly through the Private Network 72. 

The communications between the cryptographic modules and the 
Postal Server subsystem are secured and authenticated through a 

15 security protocol. This protocol includes two distinct states. 
The first state is the registration/authorization state that is 
a one-time only (per user) state in which the client software and 
each cryptographic module preferably cooperate in establishing 
two shared secrets: a user secret (e.g., a password) and a hashed 

20 message authentication key (HMK) . The second state is the 
operational state that follows a successful completion of the 
registration/authorization state. The operational state is the 
normal transaction state for client software and each 
cryptographic module . 

25 In the first part of the authorization state, the 

cryptographic module should authenticate itself to the client 
software by a challenge-response protocol. The cryptographic 
module and the client software share a public cryptography key 
pair that preestablishes a condition of trust. The cryptographic 

30 module keeps the private key, and a copy of the corresponding 
public key is embedded in the client software. The client 
software generates a random number as a challenge message and 
sends it as cleartext to the cryptographic module. The 
cryptographic module responds by signing the received challenge 

35 with its private key and returns the resulting ciphertext to the 
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client software. Using the public key, the client software signs 
the challenge message it had sent and compares it to the 

5 cryptographic module's signature of the same challenge message 
received from the cryptographic module. If the signed messages 
compare, the cryptographic module is authenticated. 

Once the cryptographic module is authenticated, the client 
software generates a HMK and prompts the user for a password. 

10 The client software then encrypts both the HMK and the user's 
password with its public Key, and sends this ciphertext to the 
cryptographic module. The user's name is also sent in clear text 
to the Postal Server. The cryptographic module uses its private 
RSA key to decrypt the password and the HMK. The PSD now has 

15 both the HMK and the user's password. This information is 
associated with the user's name and is cryptographically stored 
in the database . 

With the success of the authorization state, the client 
software not only trusts the cryptographic module, but also 

20 shares a common HMK with the cryptographic module, which it uses 
to sign and challenge each successive message. FIG. 7 
illustrates client software and cryptographic module (PSD) 52 
communication during the operational state. Client software 53 
sends a new challenge message to cryptographic module 52, as 

25 shown by 81. The cryptographic module response by signing the 
challenge with the shared HMK and then sends this ciphertext back 
to the client software, along with its own challenge, as shown 
by 82. Client software 53 compares the ciphertext of the 
challenge it originally sent to the cryptographic module, and 

30 also signs the message received from the cryptographic module. 
If the signatures compare, the client software trusts the 
cryptographic module for this transaction. Client software 53 
uses the cryptographic module challenge message to authenticate 
itself to cryptographic module 52 . 

35 
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Client software 53 now sends the signed challenge that 
cryptographic module 52 had sent, with the addition of the client 

5 software local record of the user's ascending and descending 
registers, as shown by 83. (The ascending register records the 
amount of postage that is dispensed or printed on each 
transaction and the descending register records the value or 
amount of postage that may be dispensed and decreases from an 

10 original or charged amount as postage is printed.) 

The client software also sends a cleartext of the challenge 
and the transaction message, as shown by 84. Next, the client 
software sends a Hash Message Authentication Code (HMAC) for all 
of the data sent in 83 and 84, using shared HMK, as shown by 85. 

15 HMAC is a digital signature created using a hash algorithm with 
an arbitrary message and the secret key (HMK) . The client 
software sends the original arbitrary message and the HMAC to 
Postal Server via the network. HMK, as the HMAC Key, stays in 
the client software 53. The cryptographic module 52 already has 

20 a copy of HMK because it was sent over to Postal Server during 
the user registration process. In another embodiment, Data 
Encryption Standard Message Authentication Code (DES MAC) is used 
instead of HMAC. 

Once 83, 84, and 85 are received by cryptographic module 52, 

25 the cryptographic module verifies that the client software's 
response is identical with its local calculation of the same. 
This ensures that the message was not tampered with during 
transit. The cryptographic module then verifies the challenge 
it received from the client software, in fact, the challenge the 

30 cryptographic module had sent to the client software. This 
authenticates the client software to the cryptographic module. 

Next, the cryptographic module verifies that the record of 
the ascending and descending registers that the client software 
sent is identical to the cryptographic module's local record of 

35 the same registers. This ensures that the client software's 
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record of postage available and postage printed matches the 

cryptographic module's record. Upon a successful verification 
5 of the above, the cryptographic module performs the transaction 

(as shown by 86) and then sends a new challenge to the client 

software, for the next round of authentication. 

In one embodiment, the checkpoint concept operates in the 

following manner. Each module retains in its memory records 
10 relating to the three most recent transactions that modified a 

PSD package. For example, these records include the following 

data items: 

PSD meter ID 

• Transaction type 
15 • Transaction amount 

PSD AR value 
PSD DR value 

• Module serial number 

Date/time stamp (for record replay detection) 
20 • Module total amount reset 

• Module total amount printed 

• Module total amount refunded 

The record of the most recent transaction is also output to 
the database and is protected from modification by a DES MAC 

25 generated using the key HMK_chkpt . When a PSD transaction is to 
be performed, the checkpoint record from the database is input 
along with the PSD package for the meter. Preferably, all IBIP 
commands to the modules are handled by the function sdx dispatch. 
Within dispatch, the checkpoint record from the database is 

30 compared with the most recent checkpoint record stored in the 
module memory. If they match, it is highly likely that no 
switchover of the database (resulting in lost records) has 
occurred. The module then trusts that the PSD package is up to 
date and allows the IBIP command to be executed. When the IBIP 

35 command is completed, the checkpoint record is updated and output 
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to the server for database storage along with the updated PSD 
package . 

5 In the case of create indicium commands, the server first 

confirms that the updated records have been stored on the 
database before the indicium is transmitted to the client for 
printing. (Server transaction logs keep a record of all messages 
sent to clients.) In the case of the provider commanding postage 

10 value download or create refund indicium, the server reports an 
error if the database fails to correctly store the updated 
checkpoint record and PSD package. 

If the comparison of internal and external checkpoint 
records does not match, the module will not execute the IBIP 

15 command and an error code is returned to the server. The server 
then sends a command called "Auto-Recover module Checkpoint" to 
the module. This command allows a controlled rollback to an 
older checkpoint if the external checkpoint record matches either 
of the two older checkpoint records stored in the module internal 

20 memory. The module updates its internal records using data from 
the accepted checkpoint and outputs audit log records to document 
the more recent PSD transactions that are to be discarded 
(transactions more recent than the accepted checkpoint) . If none 
of the module's internal checkpoint records match the record 

25 input from the database, auto-recovery fails and an error is 
returned to the server. This module is now effectively inhibited 
from processing PSD packages and operator intervention, using the 
disaster recovery process, is needed to return it to operation. 
In summary, the checkpoint validation and auto-recovery 

30 processes allows the module to verify that the database providing 
records is up to date and to automatically re-synchronize the 
module with the database if possible. 

The next level of security is achieved by encrypting all 
communications between the client and the Postal Server 

35 subsystem. The encryption-decryption function is employed using 
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an encryption algorithm, for example, RSA public key encryption 
algorithm. The client has a unique public and private key pair 
5 generated by the Postal Server subsystem that is embedded in the 
client software and these keys are used for encrypting/decrypting 
communications between the client and the Postal Server 
subsystem. 

The user secret key (HMK) is further encrypted by using the 
10 public key of the cryptographic module 52 shown in FIGs . 3 and 
6. HMK gets encrypted with its PSD encryption keys (3DES) by the 
cryptographic module 52. Then, the encrypted HMK is stored in 
the Database subsystem 51 along with other PSD information. In 
one embodiment, the cryptographic module 52 is embedded in the 
15 hardware where Postal Server 41 is running. The Postal Server 
41 is connected to the Public Network 73. The cryptographic 
module 52 is used to decrypt the encrypted secret key of the user 
that is stored in the Database subsystem. The user authenticates 
itself with every request by digitally signing every request 
20 using the secret HMK. The cryptographic module 52 verifies the 
user signature using its copy of HMK stored in the Database 
subsystem 51 . 

The interaction between the cryptographic modules and the 
Database subsystem provides two more levels of security. The 

25 first level of security is the cryptographic module verifying 
last transactions with the Database subsystem and the second 
level of security is the cryptographic protection of internal 
storage registers in the cryptographic modules. In one 
embodiment, the cryptographic modules store up to five 

30 transactions in a respective internal register. The number of 
transactions compared in the verification process system may be 
set by the system administrator. A verification process 
compares a predetermined number of last transactions . The 
database subsystem stores a table that preferably includes the 

35 cryptographic module (s) present in the Postal Server subsystem 



-37- 



1 39477/RRT/S850 



41, the cryptographic module serial numbers, the time of the last 
transaction the cryptographic module processed, the date of the 

5 last transaction the cryptographic module processed and the value 
of the last transaction the cryptographic module processed. 
Other values related to a transaction and a cryptographic module 
can also be saved for verification purposes. An example of the 
cryptographic module table, where the Postal Server subsystem has 

10 four cryptographic modules, is illustrated below. 



15 



Cryptographic 
module 


Cryp tographi c 
module 
Serial. # 


Transaction 
Time 


Transaction 
Date 


Transaction 
Value 


1 


34576590 


11:53 PM 


08/06/99 


$ 0.33 


2 


34582152 


07 : 30 AM 


08/05/99 


$ 7.55 


3 


34593104 


03:00 PM 


08/02/99 


$ 3.45 


4 


34593992 


11:22 AM 


08/03/99 


$ 5.78 



20 

When a cryptographic module 52 loads a new PSD out of the 
Database subsystem 51 (performing a transaction) , the 
cryptographic module's register, containing the last 
transaction's time, date and value, is verified against that 

25 cryptographic module's entry in the Database subsystem's 
cryptographic module table. The time, date or value for each 
transaction stored in each cryptographic module should match the 
corresponding values for the respective cryptographic module 
stored in the database for the verification process to be 

2Q successfully completed. 

Cryptographic modules do not load new PSD transactions 
unless the verification process has been successfully completed. 
If any of the compared values is found to be different, 
preferably the whole system shuts down until authorized personnel 

or can investigate the situation. In one embodiment, the threshold 
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in the system is adjustable so that the system may be set to shut 
down if one, two or more cryptographic modules fail the 

5 verification process. The registers of each cryptographic module 
are cryptographically protected against any unauthorized access 
of the database. This provides another level of security. 

Additionally, the Database subsystem for the on-line VBI 
system is designed to allow for easy recovery from minor or major 

10 failures. A dual redundancy (backup) database server is 
connected to the on-line VBI system to mitigate the damage caused 
by the failure of the primary database server. In one 
embodiment, a backup database automatically carries all of the 
responsibilities of the primary Database server until the primary 

15 database server is repaired. Preferably, the Database subsystem 
is monitored 24 hours a day to immediately recognize problems. 

In order to maintain data protection in case of media 
failure, software error (system crash), or power outage, a 
cryptographically protected transaction log on the primary 

20 database server is off-loaded to tape periodically throughout the 
day. The transaction log does not need to be a real time backup, 
but the number of transactions lost would be minimized since the 
backup occurs periodically throughout the day. 

In addition, on a daily basis, the data in the Database 

25 subsystem is backed up to a backup system, such as a tape backup 
system, and stored off premises in a secure facility. After the 
daily backup is completed, a transaction log of the primary 
database server is backed up to a backup system, such as a tape 
drive, and stored off premises in a secure facility with the data 

30 backup of the database subsystem. 

Minor failures of the primary database subsystem, for 
example media failure, power outages and software error, are 
easily handled in the on-line VBI system. In one embodiment, to 
change from the backup Database server in the case of the failure 

35 of the primary database server, the system administrator changes 
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the IP address to that of the backup database server and makes 
the primary database server the backup database server. Next, 

5 the system administrator resets the database server and loads the 
latest encrypted transaction log. The system administrator uses 
a cryptographic module to decrypt the transaction log and the 
decrypted information from the transaction log is loaded into the 
Database subsystem. 

10 In the case of catastrophic failure, e.g. loss of the 

database and the cryptographic modules, as long as the 
transaction log and daily backups are stored off premises, the 
data can be recovered. The data is recovered by storing a 
cryptographic module in an off-site secure location close to the 

15 stored transaction logs, daily backups and backup on-line VBI 
system. The backup of the system is combined with the 
transaction log to reinstate all of the accounts contained in the 
transaction log. 

In one embodiment of the invention, the daily backups and 

20 the transaction logs are downloaded to a tape. If a catastrophic 
failure occurs, then the latest daily backup tape is loaded onto 
the backup on-line VBI system. Next, the cryptographic module 
decrypts the backup tape and the decrypted information from the 
backup tape is loaded into the Database subsystem. Then, the 

25 cryptographic module decrypts the transaction log and the 
decrypted information from the transaction log is loaded into the 
Database subsystem . 

Preferably, the verification process that the cryptographic 
module performs with the cryptographic module table in the 

30 Database subsystem is not performed, because the new 
cryptographic module does not have any record of previous 
transactions, since it was sitting in a vault off premises from 
the on-line VBI system. The transaction log is cryptographically 
protected so that unauthorized personnel cannot manipulate the 

35 data. 
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The cryptographic module is able to trust the 
cryptographically protected data of the transaction log because 

5 cryptographic module has knowledge of the format of the 
transaction log. As a result, the entire database is recovered 
and recreated by at least one cryptographic module using the last 
transaction log and the backup data. 

It will be recognized by those skilled in the art that 

10 various modifications may be made to the illustrated and other 
embodiments of the invention described above, without departing 
from the broad inventive scope thereof. It will be understood 
therefore that the invention is not limited to the particular 
embodiments or arrangements disclosed, but is rather intended to 

15 cover any changes, adaptations or modifications which are within 
the scope and spirit of the invention as defined by the appended 
claims . 

20 



25 



30 



35 
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WHAT IS CLAIMED IS: 

1- A secure on-line system for printing value bearing 
5 items (VBI) comprising: 

a client system for interfacing with one or more users; and 
a server system capable of communicating with the client 
system over a communication network comprising: 

a secure database remote from the users including 
10 information about the users; 

computer executable code for password authentication 
to prevent unauthorized access to the database; and 

a cryptographic module for authenticating any of the 
one or more users. 

15 

2. The system of claim 1, wherein the database is 
accessible through a private network connected to the 
communication network . 

20 3. The system of claim 2, further comprising a firewall 

for preventing unauthorized access by a person external to the 
private network . 

4. The system of claim 1, wherein the cryptographic module 
25 encrypts transactions related to the database. 

5. The system of claim 1, wherein the computer executable 
code for password authentication comprises of computer executable 
code for an asynchronous dynamic password verification to 

30 terminate a user session if the password authentication fails. 

6. The system of claim 1, wherein the database stores a 
first set of one or more last database transactions and the 
cryptographic module stores a second set of one or more last 

35 database transactions for comparison with the first set of one 
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or more last database transactions stored in the database to 
verify each database transaction. 

5 

7. The system of claim 6, wherein the cryptographic module 
prevents further database transactions if the second set of one 
or more last transaction stored in the cryptographic module does 
not compare with the first set of one or more last transaction 

10 stored in the database. 

8. The system of claim 6, wherein the database stores a 
table including the respective information about a last 
transaction and a verification module to compare the information 

15 saved in the module with the information saved in the database. 

9. The system of claim 1, further comprising a back up 
database server connected to the server system for periodically 
backing up the data stored in the database in a back up database. 

20 

10. The system of claim 9, further comprising a 
cryptographically protected transaction log stored in the back 
up database . 

25 11. The system of claim 1, wherein the cryptographic module 

includes internal registers and the data in the internal 
registers is cryptographically protected. 

12. The system of claim 1, further comprising a plurality 
30 of security device transaction data stored in the database for 

ensuring authenticity of the one or more users, wherein each 
security device transaction data is related to a user. 

13. The system of claim 12, wherein the security device 
35 transaction data related to a user is loaded into the 
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cryptographic module when the user requests to operate on a value 
bearing item. 

5 

14. The system of claim 13, wherein the security device 
transaction data related to a user is updated and returned to the 
database . 

10 15. The system of claim 13, wherein the security device 

transaction data related to a user is processed in a stateless 
manner . 

16. The system of claim 1, further comprising at least one 
15 more cryptographic module and wherein each cryptographic module 

is capable of processing data related to any of the one or more 
users . 

17. The system of claim 1, wherein the cryptographic module 
20 includes a data validation subsystem to verify that data is up 

to date and an auto-recovery subsystem for allowing the module 
to automatically re-synchronize the module with the data. 

18. The system of claim 1, wherein the cryptographic module 
25 is stateless . 

19. The system of claim 1, wherein the cryptographic module 
includes a computer executable code for preventing unauthorized 
modification of data. 

30 

20. The system of claim 1, wherein the cryptographic module 
includes a computer executable code for preventing unauthorized 
disclosure of data. 

35 
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21. The system of claim 1, wherein the cryptographic module 
includes a computer executable code for ensuring the proper 

5 operation of cryptographic security and VBI related meter 
functions . 

22. The system of claim 1, wherein the cryptographic module 
includes a computer executable code for detecting errors and 

10 preventing a compromise of data or critical cryptographic 
security parameters as a result of the errors. 

23. The system of claim 1, wherein the cryptographic module 
includes a computer executable code for supporting multiple 

15 concurrent users and maintaining a separation of roles and 
operations performed by each user. 

24. The system of claim 1, wherein the database includes 
one or more indicium data elements, data for account maintenance, 

20 and data for revenue protection. 

25. The system of claim 1, wherein the database includes 
a private key associated with a user. 

25 26. The system of claim 1, wherein the database includes 

virtual meter information. 

27. The system of claim 1, wherein the database includes 
ending registers data. 

30 

28. The system of claim 1, wherein the value bearing item 
is a mail piece. 

29. The system of claim 28, wherein the mail piece includes 
35 a digital signature. 
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30. The system of claim 1, wherein the cryptographic module 
performs cryptographic function on validation information 

5 according to a user request for printing a VB1 . 

31. The system of claim 1, wherein the cryptographic module 
generates data sufficient to print a postal indicium in 
compliance with postal service regulation on a mail piece. 

10 

32. The system of claim 1, wherein the value bearing item 
is a ticket. 



33. The system of claim 1, wherein a bar code is printed 
15 on the value bearing item. 

34. The system of claim 1, wherein the value bearing item 
is a coupon. 

20 35. The system of claim 1, wherein the value bearing item 

is currency . 



36. The system of claim 1, wherein the value bearing item 
is a voucher . 

25 

37. The system of claim 1, wherein the value bearing item 
is a traveler's check. 



38. The system of claim 12, wherein each security device 
30 transaction data includes one or more of an ascending register 
value, a descending register value, a respective cryptographic 
module ID, an indicium key certificate serial number, a licensing 
ZIP code, a key token for an indicium signing key, user secrets, 
a key for encrypting user secrets, date and time of last 
35 transaction, last challenge received from a respective client 
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subsystem, an operational state of the respective module, 
expiration dates for keys, and a passphrase repetition list. 

5 

39. The system of claim 12, wherein the database includes 
a private key associated with a user. 

40. The system of claim 12, wherein each security device 
10 transaction data includes one or more of a private key, a public 

key, and a public key certificate, wherein the private key is 
used to sign module status responses and a VBI which, in 
conjunction with a public key certificate, demonstrates that the 
module and the VBI are authentic. 

15 

41. The system of claim 1, wherein the cryptographic module 
is capable of performing one or more of Rivest, Shamir and 
Adleman (RSA) public key encryption, DES, Triple-DES, DSA 
signature, SHA-1, and Pseudo-random number generation algorithms. 

20 

42. The system of claim 1, wherein the server system 
further comprises one or more of a postal server subsystem, a 
provider server subsystem, an e-commerce subsystem, a staging 
subsystem, a client support subsystem, a decision support 

25 subsystem, a SMTP subsystem, an address matching service 
subsystem, a SSL proxy server subsystem, and a web server 
subsystem. 

43. The system of claim 1, wherein the database includes 
30 one or more of a postal database, a provider database, an e- 

commerce database, an affiliate database, a website database and 
a membership database. 

44. The system of claim 1, further comprising an offline 
35 database for storing one or more postal transaction data, 
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financial transaction data, customer marketing information, 
commerce product information, meter license information, meter 
5 resets, meter history, and meter movement information. 

45. The system of claim 1, further comprising a data 
warehouse database for storing customer information, financial 
transactions, and information for marketing queries. 

10 

46. The system of claim 1, further comprising a commerce 
database including one or more payment databases, an e-mail 
database, and a stamp mart database. 

15 47. The system of claim 1, further comprising an e-commerce 

server for authorizing and capturing funds from a customer's 
account and transferring the funds to a vendor's account. 

48. The system of claim 1, further comprising an address 
20 matching server for verifying a correct address specified by a 

user . 

49. The system of claim 1, further comprising a printer 
driver database for storing supported printer driver information. 

25 

50. A method for securely printing value-bearing items 
(VBI) via a communication network including a client system and 
a server system, the method comprising the steps of: 

interfacing with one or more users via the client system; 
30 communicating with the client system over the communication 

network; 

storing user information in a secure database accessible 
through the communication network; 

preventing unauthorized access to the database by users 
35 external to the communication network; and 
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authenticating one or more users using a cryptographic 
module . 

5 

51. The method of claim 50, further comprising the step of 
encrypting database transactions by the cryptographic module. 

52. The method of claim 50, further comprising the steps 

10 of 

storing one or more last database transactions in the 
database; 

storing one or more last database transactions in the 
cryptographic module; and 
15 comparing the one or more last database transactions stored 

in the database with the one or more last database transactions 
stored in the cryptographic module to verify each database 
transaction . 

20 53. The method of claim 50, further comprising the step of 

preventing unauthorized access by a person external to the 
private network using a firewall. 

54. The method of claim 50, further comprising the step of 
25 encrypting transactions related to the database by the 

cryptographic module. 

55. The method of claim 50, further comprising the steps 
of storing one or more last database transactions in the 

30 database, storing one or more last database transactions in the 
cryptographic module for comparison with the one or more last 
database transactions stored in the database to verify each 
database transaction . 

35 



-49- 



1 39477/RRT/S850 

56. The method of claim 55, further comprising the step of 
preventing further database transactions if the one or more last 

5 transaction stored in the cryptographic module does not compare 
with the one or more last transaction stored in the database. 

57. The method of claim 50, further comprising the step of 
storing a table including the respective information about a last 

10 transaction and comparing the information saved in the module 
with the information saved in the database. 

58. The method of claim 50, further comprising the step of 
backing up data stored in the database in a back up database. 

15 

59. The method of claim 58, further comprising the step of 
recovering data from the back up database by decrypting an 
encrypted transaction log stored in the back up database. 

20 60. The method of claim 50, further comprising the step of 

cryptographically protecting data in the internal registers of 
the cryptographic module. 

61. The method of claim 50, further comprising the step of 
25 storing in the database a plurality of security device 
transaction data for ensuring authenticity of the one or more 
users, wherein each security device transaction data is related 
to a user. 

30 62. The method of claim 61, further comprising the step of 

loading into the cryptographic module a security device 
transaction data related to a user when the user requests to 
operate on a value bearing item. 

35 
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63. The method of claim 62, further comprising the steps 
of updating and returning to the database the security device 

5 transaction data related to a user after the user request is 
completed . 

64. The method of claim 63, further comprising the steps 
of preventing unauthorized modification of data by the 

10 cryptographic module. 

65. The method of claim 50, further comprising the steps 
of verifying that the database is up to date. 

15 66. The method of claim 65, further comprising the steps 

of automatically re-synchronizing the cryptographic module with 
the database . 

67. The method of claim 50, further comprising the step of 
20 preventing unauthorized display of data. 

68. The method of claim 50, further comprising the step of 
ensuring the proper operation of cryptographic security and VBI 
related meter functions. 

25 

69. The method of claim 52, further comprising the steps 
of supporting multiple concurrent operators and maintaining a 
separation of roles and operations performed by each operator. 

30 70. The method of claim 50, further comprising the steps of: 

storing information about a number of last transactions 
in a respective internal register of each of the one or more 
cryptographic devices ; 

storing a table including the information about a last 
35 transaction in the database; 
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comparing the information saved in the respective 
device with the respective information saved in the database; and 
5 loading a new transaction data if the respective 

information stored in the device compares with the respective 
information stored in the database. 

71. The method of claim 50, further comprising the step of 
10 storing data for creating an indicium, account maintenance, and 

revenue protection . 

72. The method of claim 50, further comprising the step of 
printing a mail piece. 

15 

73. The method of claim 72, wherein the mail piece includes 
a digital signature. 

74. The method of claim 72, wherein the mail piece includes 
20 a postage amount. 

75. The method of claim 72, wherein the mail piece includes 
an ascending register of used postage and descending register of 
available postage . 

25 

76. The method of claim 50, further comprising the step of 
printing a ticket. 

77. The method of claim 50, further comprising the step of 
30 printing a bar code. 

78. The method of claim 50, further comprising the step of 
printing a coupon. 

35 
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79. The method of claim 50, further comprising the step of 
printing currency . 

5 

80. The method of claim 50, further comprising the step of 
printing a voucher. 

81. The method of claim 50, further comprising the step of 
10 printing a traveler's check. 

82. The method of claim 61, wherein the security device 
transaction data includes an ascending register value, a 
descending register value, a respective cryptographic device ID, 

15 an indicium key certificate serial number, a licensing ZIP code, 
a key token for an indicium signing key, user secrets, a key for 
encrypting user secrets, date and time of last transaction, last 
challenge received from a respective client subsystem, an 
operational state of the respective device, expiration dates for 

20 keys, and a passphrase repetition list. 

83. The method of claim 50, further comprising the step of 
performing one or more of Rivest, Shamir and Adleman (RSA) public 
key encryption, DES, Triple-DES, DSA signature, SHA-1, and 

25 Pseudo-random number generation algorithms by each of the 
cryptographic devices. 

84. The method of claim 50, further comprising the step 
keeping track of user accesses to a vendor website by a website 

30 database. 

85. The method of claim 50, further comprising the step of 
storing postal transactions data, financial transaction data, 
customer marketing Information, commerce product information, 

35 
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meter license information, meter resets, meter history, and meter 
movement information in an offline database. 

5 

86. The method of claim 50, further comprising the step of 
storing customer information, financial transactions, and 
information for marketing queries in a data warehouse database. 

10 87 • The method of claim 50, further comprising the steps 

of authorizing and capturing funds from a customer's account and 
transferring the funds to a vendor's account by an e-commerce 
server . 

15 88. The method of claim 50, further comprising the step of 

verifying a correct address specified by a user using an address 
matching server . 

89. The method of claim 50, further comprising the step of 
20 storing supported printer driver information in a printer driver 

database . 

90. The method of claim 50, further comprising the step of 
verifying a user password before granting access to the database. 

25 

91. The method of claim 50, further comprising the step of 
storing a private key associated with a user in the secure 
database . 

30 92. An on-line system for printing value bearing items 

(VBI) comprising: 

a client system for interfacing with one or more users; 
a server system capable of communicating with the client 
system over a communication network comprising: 

35 
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a first database remote from the user including 
information about the user; 

5 a cryptographic module for authenticating any of the 

one or more users; and 

a backup database server connected to the server system for 
backing up data in a back up database. 

!0 93 - The system of claim 92, further comprising a 

cryptographically protected transaction log stored in the back 
up database for recovering data from the back up database. 

94. The system of claim 92, wherein the first database is 
15 accessible through a private network connected to the 

communication network . 

95. The system of claim 92, further comprising a firewall 
for preventing unauthorized access by a person external to the 

2 0 private network . 

96. The system of claim 92, wherein the cryptographic 
module encrypts transactions related to the database. 

25 97. The system of claim 92, wherein the cryptographic 

module includes internal registers and the data in the internal 
registers is cryptographically protected. 

98. The system of claim 92, further comprising a plurality 
30 of security device transaction data stored in the database for 
ensuring authenticity of the one or more users, wherein each 
security device transaction data is related to a user. 



35 
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99. The system of claim 98, wherein the security device 

transaction data related to a user is loaded into the 

5 cryptographic module when the user requests to operate on a value 
bearing item. 

100. The system of claim 99, wherein the security device 
transaction data related to a user is updated and returned to the 

10 database after the user request is completed. 

101. The system of claim 92, wherein the value bearing item 
is a mail piece. 

15 102. The system of claim 101, wherein the mail piece 

includes a digital signature. 

103. The system of claim 92, wherein the cryptographic 
module encrypts validation information according to a user 

20 request for printing a VBI. 

104. The system of claim 92, wherein the cryptographic 
module generates data sufficient to print a postal indicium in 
compliance with postal service regulation on a mail piece. 

25 

105. The system of claim 92, wherein the value bearing item 
is a ticket. 



106. The system of claim 92, wherein a bar code is printed 
30 on the value bearing item. 

107. A method for printing value-bearing items (VBI) via a 
communication network including a client system and a server 
system, the method comprising the steps of: 

35 interfacing with one or more users via the client system; 
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communicating with the client system over the communication 
network; 

5 storing user information in a database accessible through 

the communication networks- 
authenticating the users by a cryptographic module; and 
backing up data stored in the database in a back up 

database . 

10 

108. The method of claim 107, further comprising the step 
of recovering data from the back up database by decrypting an 
encrypted transaction log stored in the back up database. 

15 109. The method of claim 107, further comprising the step 

of encrypting database transactions by the cryptographic module. 

110. The method of claim 107, further comprising the steps 

of 

20 storing one or more last database transactions in the 

databases- 
storing one or more last database transactions in the 
cryptographic module; and 

comparing the one or more last database transactions stored 
25 in the database with the one or more last database transactions 
stored in the cryptographic module to verify each database 
transaction . 

111. The method of claim 107, further comprising the step 
30 of preventing unauthorized access by a person external to the 

private network using a firewall. 

112. The method of claim 107, further comprising the step 
of encrypting transactions related to the database by the 

35 cryptographic module. 
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5 



113. The method of claim 107, further comprising the steps 
of storing one or more last database transactions in the 
database, storing one or more last database transactions in the 
cryptographic module for comparison with the one or more last 
database transactions stored in the database to verify each 
database transaction. 



10 



15 



114. The method of claim 113, further comprising the step 
of preventing further database transactions if the one or more 
last transaction stored in the cryptographic module does not 
compare with the one or more last transaction stored in the 
database . 

115. The method of claim 107, further comprising the step 
of storing data for creating an indicium, account maintenance, 
and revenue protection. 



20 116. The method of claim 107, further comprising the step 

of printing a mail piece. 

117. The method of claim 116, wherein the mail piece 
includes a digital signature. 

25 

118. The method of claim 116, wherein the mail piece 
includes a postage amount. 

119. The method of claim 116, wherein the mail piece 
30 includes an ascending register of used postage and descending 

register of available postage. 



35 



120. The method of claim 107, further comprising the step 
of printing a ticket. 
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121. The method of claim 107, further comprising the step 
of printing a bar code. 
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SECURE AND RECOVERABLE DATABASE FOR 
ON-LINE VALUE -BEARING ITEM SYSTEM 

ABSTRACT OF THE DISCLOSURE 

An on-line value bearing item (VBI) printing system that 
includes one or more cryptographic modules and a secure database 
is disclosed. The secure database has the ability to recover 
data in case of a database failure and includes account balances 
and other information for all of the on-line value-bearing item 
system customers and is capable of preventing access by 
unauthorized users. Also, a secure communication network is in 
operation to prevent unauthorized access to the users' data 
stored in the database. 

A plurality of subsystems located on the server system side 
of the on-line VBI system provide services related to purchasing, 
accounting, and printing of VBI. Preferably, these services run 
on multiple server machines allowing the system to be scalable. 
The number of the servers can easily be increased to meet the 
growing needs of the subsystems as the numbers of transactions 
and users increase. The growing number of servers will not 
impact the performance of the on-line postage system, because the 
design of the on-line postage system allows for scalability. 

RRT/dsz 
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FOR PATENT APPLICATIONS 



Docket No. : 39477/RRT/S850 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name. 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original first and joint 
inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought 
on the invention entitled SECURE AND RECOVERABLE DATABASE FOR ON-LINE VALUE-BEARING ITEM 
SYSTEM, the specification of which is attached hereto unless the following is checked: 

_ was filed on _ as United States Application Number or PCT International Application Number _ and was 
amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above -identified specification, including 
the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to patentability as defined in 37 CFR § 1.56. 

I hereby claim foreign priority benefits under 35 U.S.C. § 119(a)-(d) or § 365(b) of the foreign application(s) for 
patent or inventor's certificate, or § 365(a) of any PCT International application which designated at least one 
country other than the United States, listed below and have also identified below, any foreign application for 
patent or inventor's certificate, or PCT International application having a filing date before that of the application 
on which priority is claimed. 

Prior Foreign Application^) 

Application Number Country Filing Date fdav/month/veari Priority Claimed 



I hereby claim the benefit under 35 U.S.C. § 119(e) of any United States provisional application(s) listed below. 
Application Number Filing Date 

60/160,112 October 18, 1999 

60/160,491 October 20, 1999 

60/160,703 October 20, 1999 

60/160,563 October 20, 1999 

I hereby claim the benefit under 35 U.S.C. § 120 of any United States application^), or any PCT International 
application designating the United States, listed below and, insofar as the subject matter of each of the claims 
of this application is not disclosed m the prior United States or PCT International application in the manner 
provided by the first paragraph of 35 U.S.C. § 112, I acknowledge the duty to disclose information which is 
material to patentability as defined in 37 CFR § 1.56 which became available between the filing date of the prior 
application and the national or PCT International filing date of this application: 

Application Number Filing Date Patented/Pending/Abandoned 



POWER OF ATTORNEY: I hereby appoint the following attorneys and agents of the law firm CHRISTIE, 
PARKER & HALE, LLP to prosecute this application and any international application under the Patent 
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Cooperation Treaty based on it and to transact all business in the U.S. Patent and Trademark Office connected 
with either of them m accordance with instructions from the assignee of the entire interest in this application; 
or from the first or sole inventor named below in the event the application is not assigned; or from in the event 
the power granted herein is for an application filed on behalf of a foreign attorney or agent. 
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The authority under this Power of Attorney of each person named above shall automatically terminate and be 
revoked upon such person ceasing to be a member or associate of or of counsel to that law firm. 

DIRECT TELEPHONE CALLS TO : Raymond R. Tabandeh, 626/795-9900 
SEND CORRESPONDENCE TO : CHRISTIE, PARKER & HALE, LLP 

P.O. Box 7068, Pasadena, CA 91109-7068 
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1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of 
the application or any patent issued thereon. 
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